Execution environment file inventory
9 Assignments
0 Petitions
Abstract
A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.
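The abstract's inventory step (deciding, for each container, whether it is executable in a native or a non-native execution environment) can be illustrated with a small file classifier. This is an added example, not code from the patent or its assignee: it walks a directory, reads each file's leading bytes, and records only files that match a known executable signature, tagging each with the environment that would run it. The signature table, the environment labels, the function names and the constructed sample tree are all this example's own choices.

```python
"""Build an execution-environment inventory of a file tree (constructed example)."""
import os
import tempfile
from typing import Dict, Optional

# Environment labels follow the abstract's two groups (names are this example's).
NATIVE = "native"          # executed directly as machine language
NON_NATIVE = "non-native"  # needs a program (interpreter) to yield native code

# Well-known file signatures; the table and its environment mapping are this
# example's choice and deliberately short.
_SIGNATURES = [
    (b"\x7fELF", NATIVE),   # ELF executable or shared object
    (b"MZ", NATIVE),        # PE/DOS executable
    (b"#!", NON_NATIVE),    # script whose first line names an interpreter
]


def classify(head: bytes) -> Optional[str]:
    """Return the execution environment for a file's leading bytes, or None
    when the file is executable in neither environment (e.g. a config file)."""
    for magic, environment in _SIGNATURES:
        if head.startswith(magic):
            return environment
    return None


def build_inventory(root: str) -> Dict[str, str]:
    """Walk `root` and map each executable file (relative path) to its environment."""
    inventory: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)  # enough for every signature in the table
            environment = classify(head)
            if environment is not None:
                inventory[os.path.relpath(path, root)] = environment
    return inventory


def demo() -> Dict[str, str]:
    """Create a constructed sample tree in a temp dir and inventory it."""
    samples = {
        "bin/server": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,   # fake ELF header
        "bin/tool.exe": b"MZ\x90\x00" + b"\x00" * 12,              # fake PE header
        "scripts/deploy.sh": b"#!/bin/sh\necho deploy\n",          # shell script
        "etc/app.conf": b"[server]\nport=8080\n",                   # not executable
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return build_inventory(root)


if __name__ == "__main__":
    for rel, env in sorted(demo().items()):
        print(f"{rel}: {env}")
```

The config file is absent from the resulting inventory, which is the point of the "considering step": the inventory lists only what some execution environment on the host could run, so it can later serve as the allowlist the abstract describes.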
428 Citations
17 Claims
1. One or more computer readable media having container management and protection logic encoded therein for managing a system of containers accessible to a computer system, wherein the container management and protection logic, when executed by one or more processors, is to:
intercept, dynamically, an operation request in the computer system that is to affect a targeted container in the system of containers;
allow the operation request based on a determination that the targeted container is not identified in an inventory of protected containers in the system of containers;
block an additional operation request to change one or more of the containers in the system of containers if the additional operation request would cause a delta of the inventory from a gold image inventory to exceed a threshold, wherein the delta is quantified as an absolute number of items in the inventory, as a ratio of a size of the inventory to a size of the gold image inventory, or as a ratio of a size of an intersection of the inventory and the gold image inventory to the size of the gold image inventory;
determine a new executable file was created by allowing the operation request;
identify an entity that performed an initiation of the operation request; and
update the inventory of protected containers with an identifier of the new executable file based, at least in part, on a determination that the identified entity is authorized, based on a change authorization policy, to make changes to the targeted container.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system, comprising:
a computer system including logic, the logic at least partially comprising hardware logic; and
a storage system including a system of containers, the system of containers including a plurality of protected containers that collectively form an inventory of protected containers,
wherein the logic, when executed on the computer system, is to:
intercept, dynamically, an operation request that is to affect a targeted container in the system of containers;
allow the operation request based on a determination that the targeted container is not identified in the inventory of protected containers in the system of containers;
block an additional operation request to change one or more of the containers in the system of containers if the additional operation request would cause a delta of the inventory from a gold image inventory to exceed a threshold, wherein the delta is quantified as an absolute number of items in the inventory, as a ratio of a size of the inventory to a size of the gold image inventory, or as a ratio of a size of an intersection of the inventory and the gold image inventory to the size of the gold image inventory;
determine a new executable file was created by allowing the operation request;
identify an entity that performed an initiation of the operation request; and
update the inventory of protected containers with an identifier of the new executable file based, at least in part, on a determination that the identified entity is authorized, based on a change authorization policy, to make changes to the targeted container.
Dependent claims: 13, 14, 15.

16. A method of managing a system of containers accessible to a computer system by using an inventory of a plurality of protected containers in the system of containers, the method comprising:
intercepting, dynamically, an operation request in the computer system that is to affect a targeted container in the system of containers;
allowing the operation request based on a determination that the targeted container is not identified in an inventory of protected containers in the system of containers;
blocking an additional operation request to change one or more of the containers in the system of containers if the additional operation request would cause a delta of the inventory from a gold image inventory to exceed a threshold, wherein the delta is quantified as an absolute number of items in the inventory, as a ratio of a size of the inventory to a size of the gold image inventory, or as a ratio of a size of an intersection of the inventory and the gold image inventory to the size of the gold image inventory;
determining a new executable file was created by allowing the operation request;
identifying an entity that performed an initiation of the operation request; and
updating the inventory of protected containers with an identifier of the new executable file based, at least in part, on a determination that the identified entity is authorized, based on a change authorization policy, to make changes to the targeted container.
Dependent claims: 17.
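The independent claims describe one decision procedure: intercept a request, allow it when its target is not a protected container, refuse a change that would push the inventory's delta from the gold image past a threshold (measured in any of the three ways the claims list), and register a newly created executable only when the initiating entity is authorized under a change authorization policy. The following is an added example that implements that procedure; it is not code from the patent or its assignee. The class and field names, the shape of the change authorization policy (entity to allowed path prefixes), the treatment of writes to an already protected container as blocked, and the reading of "exceed" for the overlap measure as a floor rather than a ceiling (overlap shrinks as the inventory drifts) are all this example's assumptions, as is the constructed gold image and request sequence.

```python
"""Container inventory guard modelled on the independent claims (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple


class DeltaMode(Enum):
    """The three quantifications of the delta named in the claims."""
    ABSOLUTE = "absolute"          # absolute number of items in the inventory
    SIZE_RATIO = "size_ratio"      # |inventory| / |gold image|
    OVERLAP_RATIO = "overlap"      # |inventory ∩ gold image| / |gold image|


@dataclass
class Request:
    """An intercepted operation request (field names are this example's)."""
    target: str                      # container the operation would affect
    entity: str                      # entity that initiated the request
    creates_executable: bool = False # would allowing it create a new executable?


@dataclass
class ContainerGuard:
    gold_image: FrozenSet[str]
    mode: DeltaMode
    threshold: float
    # change authorization policy, assumed shape: entity -> path prefixes it may change
    change_policy: Dict[str, Set[str]]
    inventory: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not self.inventory:               # start from the gold image
            self.inventory = set(self.gold_image)

    def delta(self, inventory: Set[str]) -> float:
        """Quantify the inventory's delta from the gold image in the configured mode."""
        gold = self.gold_image
        if self.mode is DeltaMode.ABSOLUTE:
            return float(len(inventory))
        if self.mode is DeltaMode.SIZE_RATIO:
            return len(inventory) / len(gold)
        return len(inventory & gold) / len(gold)

    def exceeds_threshold(self, inventory: Set[str]) -> bool:
        value = self.delta(inventory)
        if self.mode is DeltaMode.OVERLAP_RATIO:
            # Overlap falls as the inventory drifts, so the threshold acts as a
            # floor here; this direction is the example's reading of the claim.
            return value < self.threshold
        return value > self.threshold

    def is_authorized(self, entity: str, target: str) -> bool:
        prefixes = self.change_policy.get(entity, set())
        return any(target.startswith(p) for p in prefixes)

    def handle(self, req: Request) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for one intercepted request."""
        # Writes to a container already in the protected inventory are refused
        # (the example's assumption of what "protected" means).
        if req.target in self.inventory:
            return "block", "target is a protected container"
        # The inventory only grows when an authorized entity creates an executable.
        will_register = req.creates_executable and self.is_authorized(req.entity, req.target)
        if will_register:
            projected = self.inventory | {req.target}
            if self.exceeds_threshold(projected):
                return "block", (f"{self.mode.value} delta {self.delta(projected):.2f} "
                                 f"would exceed threshold {self.threshold}")
            self.inventory.add(req.target)
            return "allow", "new executable registered in inventory"
        if req.creates_executable:
            return "allow", "new executable left unregistered (entity not authorized)"
        return "allow", "target not protected"

    def may_execute(self, path: str) -> bool:
        """The abstract's use of the inventory: only inventoried executables run."""
        return path in self.inventory


def demo() -> Tuple[list, "ContainerGuard"]:
    """Constructed gold image and request sequence exercising every branch."""
    gold = frozenset({"/usr/bin/sh", "/usr/bin/ls", "/opt/app/server"})
    guard = ContainerGuard(gold_image=gold, mode=DeltaMode.ABSOLUTE, threshold=4,
                           change_policy={"deploy:ci": {"/opt/app/"}})
    decisions = [
        guard.handle(Request("/usr/bin/ls", "user:bob"))[0],                    # protected
        guard.handle(Request("/opt/app/plugin.so", "deploy:ci", True))[0],      # registered
        guard.handle(Request("/tmp/dropper", "user:bob", True))[0],             # allowed, not registered
        guard.handle(Request("/opt/app/plugin2.so", "deploy:ci", True))[0],     # 5 items > 4
    ]
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = demo()
    print(decisions, sorted(guard.inventory))
```

The third request shows the separation the claims draw between allowing an operation and trusting its result: the unauthorized entity's new file is written, but because it never enters the inventory, `may_execute` still refuses it.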
Specification